
Zmauditswatch

Description

Zmauditswatch is a ZCS service that notifies the administrator (at any pre-defined e-mail address) of a potential brute-force attack against any account hosted on Zimbra, by examining authentication failure information. Thresholds can be configured per account, per IP, and per account & IP combination.

Script Options Explanation

The script ships with 4 authentication failure checks.

(zimbra_swatch_ipacct_threshold) - IP/Account hash check, which warns on 10 auth failures from one IP/Account combination within a 60 second window.

(zimbra_swatch_acct_threshold) - Account check, which warns on 15 auth failures against one account from any IP within a 60 second window. Attempts to detect a distributed hijack attack on a single account.

(zimbra_swatch_ip_threshold) - IP check, which warns on 20 auth failures from one IP against any account within a 60 second window. Attempts to detect a single-host attack across multiple accounts.

(zimbra_swatch_total_threshold) - Total auth failure check, which warns on 1000 auth failures from any IP to any account within 60 seconds. The recommended value is a rough estimate of 1% of the active accounts on the mailbox server.

(zimbra_swatch_notice_user) - The e-mail address to be warned when any of these conditions is met.
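The four checks above are sliding-window counters keyed on IP+account, account, IP, and "everything", each compared to its threshold. The following Python is an added example that demonstrates that logic over audit-log lines; it is not the zmauditswatch script shipped with ZCS. The threshold names and default values come from the list above; the shape of the audit.log line (name=, oip=, cmd=Auth and an "authentication failed" error) is an assumption, and the sample lines are constructed here. An alert is emitted once, when a counter first reaches its threshold, rather than on every failure after it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Defaults matching the zimbra_swatch_* values described on this page.
DEFAULT_THRESHOLDS = {
    "zimbra_swatch_ipacct_threshold": 10,
    "zimbra_swatch_acct_threshold": 15,
    "zimbra_swatch_ip_threshold": 20,
    "zimbra_swatch_total_threshold": 1000,
}
WINDOW_SECONDS = 60

# Assumed shape of an audit.log authentication-failure line (an assumption,
# not taken from this page): timestamp, then "oip=<client ip>" inside the
# context brackets, then "cmd=Auth; account=<user>;" and an error mentioning
# "authentication failed".
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*?"
    r"oip=(?P<oip>[^;\]]+).*?"
    r"cmd=Auth; account=(?P<account>[^;]+);.*?authentication failed"
)


def parse_auth_failure(line):
    """Return (timestamp, account, originating_ip) for a failed Auth line, else None."""
    m = AUTH_FAIL_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("account").lower(), m.group("oip")


class AuthFailureWatcher:
    """Counts auth failures in a sliding window per key and alerts at each threshold."""

    def __init__(self, thresholds=None, window=WINDOW_SECONDS):
        self.thresholds = {**DEFAULT_THRESHOLDS, **(thresholds or {})}
        self.window = window
        self.events = defaultdict(deque)  # key -> timestamps inside the window

    def _count(self, key, ts):
        # Append the new failure, drop everything older than the window, count the rest.
        q = self.events[key]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()
        return len(q)

    def feed(self, line):
        """Feed one log line (lines assumed in chronological order); return alerts raised."""
        parsed = parse_auth_failure(line)
        if parsed is None:
            return []
        ts, account, ip = parsed
        checks = [
            ("zimbra_swatch_ipacct_threshold", ("ipacct", ip, account)),
            ("zimbra_swatch_acct_threshold", ("acct", account)),
            ("zimbra_swatch_ip_threshold", ("ip", ip)),
            ("zimbra_swatch_total_threshold", ("total",)),
        ]
        alerts = []
        for name, key in checks:
            n = self._count(key, ts)
            if n == self.thresholds[name]:  # fire once, when the threshold is first hit
                alerts.append((name, key[1:], n))
        return alerts


def make_line(ts, account, oip):
    """Build a constructed audit.log line in the assumed format (sample data only)."""
    return (f"{ts},000 INFO  [qtp-1] [name={account};oip={oip};ua=curl;] "
            f"security - cmd=Auth; account={account}; protocol=soap; "
            f"error=authentication failed for [{account}], invalid password;")


def run_demo():
    """Ten failures for one user from one IP within a minute: the IP/Account check fires."""
    watcher = AuthFailureWatcher()
    lines = [make_line(f"2016-05-10 10:20:{i:02d}", "user@example.com", "192.0.2.10")
             for i in range(10)]
    return [alert for line in lines for alert in watcher.feed(line)]


if __name__ == "__main__":
    for name, key, count in run_demo():
        print(f"{name}: {count} failures in {WINDOW_SECONDS}s for {key}")
```

In a real deployment the per-IP/account counter would fire first for a single-source attack, while a password-spraying attack from many hosts against one account would show up only in the account counter, which is why the page recommends keeping all four checks enabled with separate thresholds.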

Default values

Configuration

zmauditswatch should be run as the user "zimbra". Before using zmauditswatch we need to configure it.
The only required setting is zimbra_swatch_notice_user; the other parameters use their defaults if unspecified.

zmlocalconfig -e zimbra_swatch_notice_user=email@domain.com

You can change any of these numbers to suit your environment:

Activate

zmauditswatch is very easy to activate once everything is configured; we just need to start the script:

zmauditswatchctl start

To stop it:

zmauditswatchctl stop

To show its status:

zmauditswatchctl status

Workaround for ZCS 8.7.x

Starting with Zimbra Collaboration 8.7, parts of the script were moved under another name, which led to an error when activating zmauditswatch. Please follow these steps after all the previous configuration steps, plus the zmauditswatchctl start:

Activate it in Boot Sequence

Using Ubuntu 16.04 or CentOS with systemd

Download the file zmauditswatch.service and save it to the path /etc/systemd/system/zmauditswatch.service. It is very important that nothing exists at the path /etc/init.d/zmauditswatch.
The zmauditswatch.service file looks like the following:

Using Ubuntu 14.04 or CentOS 6

By default zmauditswatch does not load at start-up. If we want zmauditswatch to stay active across machine reboots, we need to download the file Media:Zmauditswatch.tar or create it ourselves:

Examples

Web Client

We will try to attack our Zimbra lab with one username and a bad password, 10 times:

The result is that the user can't log in anymore for 15 minutes:

zmauditswatch will send a notification to the e-mail address that we defined before:

If we open the mail, we will get more information.

SMTP

Sometimes we don't have a complete report of SMTP authentication failures, so we can be vulnerable to a brute-force or dictionary attack. With zmauditswatch enabled, we will receive an e-mail notification if there is an attack over SMTP.

zmauditswatch will send a notification to the e-mail address that we defined before: